2011 – Review; 2012 – Forecast.

For quite a while now we’ve had a bit of an annual tradition in the run-up to the New Year festivities – every December we summarize all the security goings-on of the last 12 months, and then prophesize a bit about what’s in store in the coming year. This year we did our roundup and predictions – covering all sorts of, regrettably, frightening stuff – at a press conference in Moscow last Monday. It was a pretty stylish event – with a hospital theme as you can see from the pic below. But I won’t go over all that again here. Here’s the original text used at the press conference, and here’s a link to the pdf summary.

Here, let me outline the main points in our review/prognosis.

Just a couple of years ago cyber scoundrels were mostly robbing average home users. This year they decided not to settle for small pickings but to go after the big cheeses – large and medium-sized companies. Then of course we’ve seen governments this year become actively involved in cyber-armament. And throughout the whole year we’ve seen almost back-to-back reports in the news about serious break-ins, for example at Sony, Mitsubishi, HBGary and RSA and at various governmental organizations. We rounded it all up and put it in our report… and it turns out that in 2011 only 10% of companies were not affected by cyber-attacks (or maybe they just didn’t notice?)…

As regards the coming year, there will be more and more attacks on companies (especially big ones), and the attacks will become more and more successful at achieving their aims. Attacks on industrial systems (like Stuxnet) can’t be ruled out. And such attacks will become the main news items of 2012.

Here I want to expand on a couple of my other forecasts.

It’s not a rare occurrence when someone from the security industry makes an official statement and then it gets all distorted by scoop-hunting media. After our press conference this time in Moscow I was lucky to get just one “screw-up” by the local press of an idea I espoused (though it has to be said that the publication in question later made a correction). The idea was my forecast about the future of Internet access from the workplace. So here it is again, from the horse’s mouth…

Accessing the Internet from the office is here to stay. Can you imagine business without the Internet? Yeah, me neither. Though some people had me down as saying just the opposite – that in the future there’ll be no Internet access from the workplace at all. What I said was that companies and governments will introduce dedicated terminals for working with confidential data; terminals shared by employees as and when they need access to this confidential data. These terminals will be fully unplugged from the Internet and running proprietary operating systems and applications. Soon this idea will go mainstream – you watch.

Such a thing is no breakthrough – nothing terribly new; today there exist organizations where such an approach has already been introduced. But they’re not all that original either. In fact this segregation is already very, very old, and all of you will know plenty about its predecessor. It’s the system of paper, drawers, filing cabinets, archive storage and the like. Keeping things – confidential things – on paper, and only on paper. Used the world over, particularly zealously perfected in military organizations. You wanna read a super-duper secret doc? Welcome to the special archive-repository. You show your pass and sign for a file, and right there and then read it under the beady eye of the archivist. No borrowing it and perusing it in the comfort of your own home with a coffee and some mellow beats on. Oh, no. Sure, it’s tough; but hey, when state and military secrets are at stake, let’s face it, humanism and usability don’t come into it!

Anyway, there’s already something similar for electronic information. And as time passes, the more such an approach will become popular. Need to read your e-mails or the news? Use your regular laptop, with all the attendant Internet niceties and comforts. Need to work with “sanitized” information – be so kind as to sit at a dedicated, well-protected – disconnected – terminal. In an ideal situation such a terminal is not only fully disconnected from the WWW (strictly no “gateway” solutions!), but also runs a unique proprietary operating system, which comes bundled with equally unique proprietary applications.

So what is this draconian measure for?

Alas, in our incident report we see that it’s the only way governments and businesses can protect their data assets and, by extension, ensure safety on the whole.

Any connection with the Internet represents a potential threat to confidential data.

Why? First and foremost this is because absolute protection doesn’t exist. (This is made worse by today’s WWW architecture and software weakening overall protection more and more.) Second, on the other side of the barricades it’s not pimply teen cyber-thugs with delusions of grandeur any more, and not even reasonably sophisticated cybercriminals. No, the other side is now populated with very highly-organized, very highly-financed, progressive professionals supported by nation states or large competing corporations. The third reason why the Internet represents a potential threat is that the most vulnerable point of any victim – from which there’s no remedy – is the human factor. Most targeted attacks today from the technological point of view are very basic; however, they normally use clever methods of social engineering and spear phishing. Faced with this multi-threat-causing mega-weak-point – otherwise known as the Internet – clearly the best solution is to cut the whole thing off – amputate it – so it can’t spread to the other parts of the “body”. I already know of quite a few organizations that have already done this. Expect thousands more to soon follow…

Intermission! Photos from the Review/Forecast press conference in Moscow:

The Russian press covered this issue quite well, noting how my ideas have progressed and filled out with time :) But I’ll go over it once more, again from the horse’s mouth.

From the standpoint of personal security of users, it would be reasonable to divide Internet services into three categories. The first – red. In this category come the most critical services like online banking, electronic voting and other mission-critical services that require user authentication. Here it should be made mandatory to log on only with the use of a unique personal identifier (for example, a token – a sort of cyber-passport) and to establish a secure, authorized connection. The second category is yellow. Here we have resources requiring identification of one’s true identity via a cyber-passport in order to use specific features. Finally there’s green – the public category. Here you can write, read, play, do anything you want (within the limits of legality and decency, of course) – and completely anonymously if you want, but at your own risk. Just as we all have now.

I admit in all of this there are many blind spots, many open questions to which I’ve no answers. But do write to me, make suggestions, ask… maybe we’ll get some clarity through discussion. All I ask is please don’t get all cynical and come up with things like: “It’ll all get hacked anyway, so why even bother,” and so on. Yes, of course there’ll be hacking! Nowhere – and nowhere more so than in infosec – can there ever be a panacea – pills against everything and forever. There’ll always be a likelihood of hacking, always be weapons against armor, good against evil… it’s the nature of the world as we know it and there’s no getting away from it.

But this shouldn’t stop us taking the initiative and having a pop back at the cyber-threats themselves. The best form of defense is after all attack. So let’s get at ‘em – so they aren’t able to get up again after being knocked down! If we wait and respond only reactively to these problems as and when they arise – it just won’t work; no, more than that – it’s a recipe for disaster.

Before any battle the general has a concept – a plan. I’ve just given you mine. But will the powers listen to it? Will you?


9 Responses to “2011 – Review; 2012 – Forecast.”

I am a Kaspersky user. I am now using 2011; the license is valid for one year, activation code Q9C9E-CXEE8-VJ5HJ-E3ACF. My computer crashed and I formatted it. I set it up again but they only gave me a one-month trial, while I still had 289 days left. My personal ID: 0441838662. I am asking Lab support to solve this problem. Thanks.

Dear Eugene Kaspersky …
Again and always you prove that an eminent scientist and mathematician is also a metaphysical philosopher of our times.
Eugene, I am not an “expert” in math like you; in fact, my grades in high school in mathematics, physics and chemistry were very bad. Though, born a historian, I can say without fear of committing a gaffe that your “philosophical” tendency is what helps to define much of your brilliant defense of theses and theories about data, which is already in high progression through the efforts of your talent and your competent staff.
Your explanations of what is unfolding in terms of challenges for the year 2012 are fully consistent and closed with a “golden key” when, at the end of your story, you mention the phrase that sums up the entire logical deductive reasoning:
“The eternal struggle of good against evil”
Eugene … You have the full support of all of us who really benefit from your brilliant creations.
What you create is always the result of the work of a scientist who puts the “welfare” of people ahead of immediate profit.
When I was in the military, we adopted a simple procedure that is used on computers and greatly disturbs the lives of “keyloggers”: the “reversed password”. We know they copy our passwords very easily, but if we adopted some simple procedures, we could at some point create a barrier for these “pirates” of the Internet.
Dear Eugene …
When I remember the fable of the “Ant and the Elephant”, I think maybe there are “simple” things among the most complex that could greatly help protect our lives.
“Again and again, many thanks for everything, dear friend Eugene Kaspersky”
Lots of Health, Peace and Prosperity for this coming year 2012 for “You” and the entire team of “Kaspersky” Labs.
Sincerely …
Mario Madrigrano Jaber – São Paulo – SP – BRAZIL

I think the plan has many merits.
The main problem I see is implementation on a global level. Getting a world wide standard in use would be difficult. Other issues may arise in some countries where appropriate documentation may not be easily obtainable for proof of identity.
One possible option would be to limit the red zone to the country in which the user currently holds citizenship but this essentially limits those, like yourself, who constantly travel or those who may have banking or other financial services abroad.
One other concern would be the fact that users may be required to put more information online than they already do. E.g.: with my internet banking, the bank knows me by my user ID and password. This new plan would require an ID based on something as unique as my name in a lot of cases, tied to other high-risk websites.
It’s a huge task to undertake, but successfully implemented could be very helpful.
